Introduction

Cisco NX-OS Software can provide effective means of exploit identification using the following:

Access Control List identification

Access Control List logging

Spoofing protection using Unicast Reverse Path Forwarding (uRPF)

Cisco NX-OS NetFlow

This document provides identification techniques administrators can deploy on Cisco NX-OS routers and switches to determine whether the mitigation methods described in the Applied Mitigation Bulletin (AMB) are having the desired effect. Readers of this document should note that the specific commands used in this document might differ from the commands they deploy on production devices.

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Cisco NX-OS Routers and Switches

Identifying the Effectiveness of Access Control Lists

The following are examples of an Access Control List (ACL) used to block TELNET on TCP port 23, TFTP on UDP port 69, and ICMP for both IPv4 and IPv6. This identification method should be used for both transit access-control lists (tACL) and infrastructure access-control lists (iACL). For additional information on tACL and iACL, see the blog post Understanding iACL vs tACL.

After the administrator applies the ACL to an interface, the show ip access-lists and show ipv6 access-lists commands will identify the number of IPv4 and IPv6 packets that have been filtered on interfaces on which the iACL is applied. Configure the statistics per-entry command so that access-list entry hit counts are displayed. The user must change this ACL configuration to match the examples shown in the mitigation sections of the appropriate Applied Mitigation Bulletin. Administrators should investigate filtered packets to determine whether they are attempts to exploit security vulnerabilities. Example output for show ip access-lists NX-OS-ACL-Policy and show ipv6 access-lists NX-OS-IPv6-ACL-Policy follows:

In the preceding examples, the logging level for the acllog facility must be configured to be greater than or equal to the acllog match-log-level setting, and the "logging logfile" severity must be equal to or greater than that setting as well. Otherwise, the log messages do not appear in the logs. The value of 3 was chosen, but it is not a required setting. Use the show logging logfile command to view the access list entries in the log.

The Optimized ACL logging feature provides hardware-processing support for ACL logging to minimize the impact to the supervisor CPU. For additional information about the configuration and use of ACL logging, see Understanding Access Control List Logging using NX-OS.

Use the show logging command to inspect the log file. To display only the last few lines, use the show logging last command. For additional information, see Cisco NX-OS show logging last command.

In the preceding example, traffic is denied for ICMP, TFTP on UDP port 69, and Telnet on TCP port 23.

Identifying the effectiveness of Unicast Reverse Path Forwarding

Some security vulnerabilities can be exploited by spoofed IP packets. Administrators can deploy and configure Unicast Reverse Path Forwarding (uRPF) as a protection mechanism against spoofing.

uRPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on uRPF to provide complete spoofing protection because spoofed packets may enter the network through a uRPF-enabled interface if an appropriate return route to the source IP address exists. Administrators are advised to take care to ensure that the appropriate uRPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic that is transiting the network. In an enterprise environment, uRPF may be enabled at the Internet edge and the internal access layer on the user-supporting Layer 3 interfaces.

With uRPF properly deployed and configured throughout the network infrastructure, administrators can use the show hardware internal statistics module-all device l3lu errors command to show RPF drops per module. The show ip traffic | include rpf command identifies the total number of packets that uRPF has dropped.

Note: The show command | include regex modifiers are used in the following examples to minimize the output administrators will need to parse to view the desired information. Additional information about command modifiers is in the show command sections of the Cisco NX-OS Configuration Fundamentals Command Reference.

Administrators can configure Cisco NX-OS NetFlow on Cisco NX-OS routers and switches to aid in the identification of IPv4 traffic flows that may be attempts to exploit security vulnerabilities. Administrators are advised to investigate flows to determine whether they are attempts to exploit these vulnerabilities or legitimate traffic flows. The following output shows identification examples using NetFlow for several different TCP/UDP ports and protocols. For additional information, see How to configure NetFlow on Cisco Nexus 7000 Series Switches using Nx-OS.

The default flow record contains many useful fields; however, custom flow records can be configured. The following is an example of the default flow record.

In the preceding example, there are multiple flows for Telnet on TCP port 23, TFTP on UDP port 69, and ICMP.

Note: ICMP flows are represented in the output using the L4 info (001:00000:02048). The protocol number 1 field is the protocol number assigned by the Internet Assigned Numbers Authority (IANA). The source and destination field represents the type of ICMP captured by NetFlow. To get the ICMP type and code, convert the decimal value to hexadecimal. In this example, 2048 = 0800, which is type_8 code_0 (ICMP echo).

Administrators are advised to compare these flows to baseline utilization for Telnet, TFTP, and ICMP and also to investigate the flows to determine whether they are sourced from untrusted hosts or networks. The following examples show how to view a specific type of traffic flow in NetFlow records. To view only Telnet flows on TCP port 23, use the show hardware flow ip | include IF|06.*(23) command. To view only UDP packets for TFTP on UDP port 69, use show hardware flow ip | include IF|17.*(69). To view only ICMP flows, use show hardware flow ip | include IF|001:00000:

Administrators can configure Cisco NX-OS NetFlow on Cisco NX-OS routers and switches to aid in the identification of IPv6 traffic flows that may be attempts to exploit security vulnerabilities. Administrators are advised to investigate flows to determine whether they are attempts to exploit security vulnerabilities or legitimate traffic flows.

The following output is from a Cisco NX-OS device running Cisco NX-OS Software 6.1 train. The command syntax will vary for different Cisco NX-OS Software trains.

In the preceding example, there are multiple IPv6 flows for Telnet on TCP port 23, TFTP on UDP port 69, and ICMP.

Note: ICMP flows are represented in the output using the L4 info (001:00000:02048). The protocol number 1 field is the protocol number assigned by the Internet Assigned Numbers Authority (IANA). The source and destination field represents the type of ICMP captured by NetFlow. To get the ICMP type and code, convert the decimal value to hexadecimal. In this example, 2048 = 0800, which is type_8 code_0 (ICMP echo).

Administrators are advised to compare these flows to baseline utilization (such as Telnet in the above example) and also investigate the flows to determine whether they are sourced from untrusted hosts or networks.

If administrators are interested only in a specific type of traffic flow, the following examples show how to view specific NetFlow records. To view only Telnet flows on TCP port 23, use the show hardware flow ipv6 | include IF|06.*(23) command. To view only TFTP flows on UDP port 69, use show hardware flow ipv6 | include IF|17.*(69). To view only ICMP flows, use show hardware flow ipv6 | include IF|001:00000:
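As an added example (not from the Cisco document), the following Python decodes the proto:src:dst L4 info field described in the IPv4 and IPv6 NetFlow notes above, classifies each flow by exact field values, and contrasts that with the loose | include regex. The table layout, interface names and addresses are constructed for illustration and do not reproduce real show hardware flow output.

```python
import re

# Constructed sample in a simplified "show hardware flow ip" style table.
# The L4Info column uses the proto:src:dst form the document describes;
# 001:00000:02048 is ICMP type 8 code 0 (echo request).
SAMPLE_FLOWS = """\
IF      SrcAddr        DstAddr         L4Info           Pkts
Eth1/1  192.0.2.10     198.51.100.5    006:51234:00023  12
Eth1/1  192.0.2.11     198.51.100.5    017:49152:00069  3
Eth1/2  192.0.2.12     198.51.100.7    001:00000:02048  40
Eth1/2  192.0.2.13     198.51.100.7    001:00000:00000  40
Eth1/2  192.0.2.14     198.51.100.9    006:12300:00443  7
"""

ICMP_PROTOS = {1: "icmp", 58: "icmpv6"}  # IANA protocol numbers

def decode_l4(field):
    """Decode proto:src:dst into protocol plus ports, or ICMP type/code."""
    proto, src, dst = (int(part) for part in field.split(":"))
    if proto in ICMP_PROTOS:
        # For ICMP the 16-bit dst value packs type (high byte) and code
        # (low byte): 2048 -> 0x0800 -> type 8, code 0.
        return {"proto": proto, "icmp_type": dst >> 8, "icmp_code": dst & 0xFF}
    return {"proto": proto, "sport": src, "dport": dst}

def parse_flows(text):
    """Parse the table into dicts, skipping the header line that starts with IF."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] == "IF":
            continue
        flow = {"if": cols[0], "src": cols[1], "dst": cols[2], "pkts": int(cols[4])}
        flow.update(decode_l4(cols[3]))
        flows.append(flow)
    return flows

def classify(flow):
    """Exact match on protocol and destination port, unlike the CLI regex."""
    if flow["proto"] == 6 and flow["dport"] == 23:
        return "telnet"
    if flow["proto"] == 17 and flow["dport"] == 69:
        return "tftp"
    return "icmp" if flow["proto"] in ICMP_PROTOS else "other"

def summarize(flows):
    """Packet totals per class, for comparison against the site baseline."""
    totals = {}
    for f in flows:
        totals[classify(f)] = totals.get(classify(f), 0) + f["pkts"]
    return totals

def cli_include(text, pattern):
    """Emulate '| include <regex>': keep any line the regex matches somewhere."""
    return [line for line in text.splitlines() if re.search(pattern, line)]
```

Note that cli_include(SAMPLE_FLOWS, r"IF|06.*(23)") also returns the TCP/443 flow because "23" appears in its source port, whereas classify() reports exactly one Telnet flow; the regex is a quick filter, not a substitute for reading the decoded fields.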

Conclusion

In summary, this document presented mitigation identification techniques for Cisco NX-OS ACLs, ACL logging, spoofing protection using uRPF, and Cisco NX-OS NetFlow. It explained how to display attempts to bypass protections and exploit vulnerabilities. It is at the administrator's discretion to modify the show commands used in this document for their own specific needs to identify if security policies deployed to mitigate certain vulnerabilities or threats have been successful.

Additional Information

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.